Glitches in the matrix: Shaky technologies, contract conundrums make Aadhaar a disaster

The 38-day hearing of the Aadhaar challenge has marked itself in Indian legal history as the second longest heard case by the Supreme Court, after the Keshavananda Bharti case. Each of the petitions (31 of them!) brought out aspects of the Aadhaar scheme and Aadhaar Act that struck at the core of the fundamental right to privacy and right to life.

Fingerprint, iris and face form the principal biometric attributes on which Aadhaar’s authentication system is based. The fingerprint, iris and face scan would be collected during enrolment and mapped into a template. After enrolment, every time an Aadhaar number holder provides her fingerprint, it would be compared with the template to verify the identity of the Aadhaar number holder. While a fingerprint is stated to be unique for each individual, the algorithm needn’t necessarily capture all unique features of the fingerprint and is not infallible in the sense that no two templates could be similar or identical. The algorithm also fails when the fingerprints fade out, as in the case of senior citizens and persons engaged in manual labour.

One of the petitioners, Colonel Mathew Thomas, had challenged the Aadhaar scheme stating that it was based on an inherently fallible technology of biometric matching. Col Mathew, whom you’ll find to be reading a new book every time you meet him, picked up on the issue of Aadhaar from its inception. Extensive work on programming and production planning during his service with the army, and later his association with the Food and Civil Supplies Department, contributed to his understanding that large-scale real-time collection of data, particularly relating to human features, would not only be difficult but also prone to errors. He also challenged the Aadhaar scheme stating that the data of the Aadhaar enrolees was not protected as a result of a contract between the Government of India and three foreign entities for licencing technology related to Aadhaar enrolment and biometric authentication.

The fallible technology: Wash hands, don’t blink, sit still

From 2009 onwards, several government committees were set up to look into the feasibility of using biometrics for authentication. The 2009 Report of the Unique Identity Authority of India’s (UIDAI) Biometrics Standard Committee had strongly recommended carefully designed experiments and proper statistical analysis to formally predict the accuracy of biometric systems for Indian rural and urban environments.

UIDAI’s Enrolment Proof of Concept Report of 2010 also noted that in a dataset of 60,000 persons, they had found the False Negative Identification Rate (i.e. wrongly indicating that the Aadhaar number does not correspond to the input biometric) to be 0.01 percent even when ten fingers and two irises were used for authentication. Small as the number may seem, when pitted against the total of 1.2 billion existing enrolments it would indicate a whopping 1.2 lakh false negative identifications. However, this did not stop the roll-out of the Aadhaar scheme and issuance of the first Aadhaar number in 2010.

Come December 2011, the red flags continued to pop up. The 42nd Parliamentary Standing Committee on Finance noted that full or near full coverage of marginalised sections for issuing Aadhaar numbers could not be achieved as about 15% failure of biometrics is expected due to a large chunk of the population being dependent on manual labour. The Committee Report also disapproved of the hasty manner in which the Aadhaar Project was rolled out without looking at the feasibility of the Project with a huge population such as that of India.

Even in 2012, the findings in Reports showed considerable error rates and false negatives. UIDAI’s report titled “Role of Biometric Technology in Aadhaar Enrolment” published in 2012, had pointed out a false negative identification rate of 0.035% (i.e. about 4.2 lakh for 1.2 billion enrolments).

It is interesting to note that during the proceedings of the challenge, the CEO of UIDAI had submitted his authentication records to the Court, giving an example of the data that is collected under the authentication history of an Aadhaar number holder. The authentication history detailed the mode of authentication, date, time, Authentication User Agency name, UIDAI response code, Authentication User Agency transaction ID, authentication response and UIDAI error code. The record showed 26 attempts, of which 5 attempts failed. Therefore, in the case of authentications attempted by the CEO himself, there has been a failure rate of about 19.2%.

When it came to testing the feasibility of using iris for authentication, the UIDAI’s Iris Authentication Study was based on a seriously flawed concept – that iris quality does not change over time. There is considerable work in this field which indicates an effect of ageing on the iris.

The mounting evidence of false negatives and false positives reported over the years from all across the country seemingly pushed UIDAI to introduce face recognition as another parameter to be used along with another mode of authentication (i.e. demographic details, fingerprint, iris scan, a one-time password). This technology would also work similarly to the fingerprint identification technology. The algorithm identifies certain features of the face and makes a template. This template would be used during future authentications to determine whether your face matches that in the Aadhaar database.

Most of the images during the Aadhaar enrolment process were captured using web cameras in average lighting conditions in the absence of fixed standards and guidelines. Using face recognition on poor quality images has a potential for a high inaccuracy rate. Moreover, no proof of concept study has been undertaken to determine the feasibility of the use of facial recognition, especially vis-à-vis parameters such as ageing and accidents. Even if one is to argue that modern technology allows highly advanced forms of facial recognition, let’s not forget the fact that Apple’s sophisticated face ID technology, introduced last year, was also fooled by a simple 3-D face mask acting as the artificial twin.

Deterministic algorithm

The government has claimed that the algorithm used in the Aadhaar system is a deterministic algorithm. That is, since the authentication process simply matches the input biometric with the existing template, the 1:1 matching ensures better precision. While the UIDAI at one instance submitted that the Aadhaar technology is not a learning algorithm, in the context of defending the fallibility of biometrics, it had submitted that constant research on the algorithm ensures constant updates of the system. If one is to assume that these updates would never introduce a learning algorithm, the question remains as to what system or which authority would ensure this.

Chin up

In the absence of a large-scale study analysing the viability of an identification system based on biometrics, and given numerous reports of authentication failure, one seeks to question the very premise of the Project. Failure of authentication and the resulting denial of services are only triggering stop-gap solutions. If fingerprints are prone to failure, introduce iris-based authentication, if that fails – use a one-time password, and if that also fails, why not try face recognition?

Could more biometric parameters like DNA also be added to this list? The Aadhaar Act does define “biometric information” broadly to include other biological attributes of an individual as may be specified by the UIDAI in regulations. During the hearing of the Aadhaar challenge, the Court had also noted the broad definition of biometric information and questioned whether features such as DNA could also be added to this category. The government had responded that if it is overbroad, any additions may be subject to Court’s review. Just as this was being discussed, one could hear whispers in the background talking of China’s move to collect DNA and other biometric information of the residents of Xinjiang.

Can a system that is set out to ensure access to basic services and subsidies ensuring day to day living, be based on improvisation and update? Perhaps, wash your hands till it’s fixed.

The contract conundrum

During his endeavours to understand the Aadhaar system better, Col. Mathew filed an RTI application seeking details of the country of origin of the companies with whom the government had entered into a contract for licencing technology to be used in the Aadhaar Project. He claims that the government’s reply stated that the country of origin of these companies cannot be determined. Later, through another RTI application, he was able to procure a copy of the contract entered into between the Government of India and the foreign entities.

In 2010, the Government of India entered into different agreements with three foreign Biometric Solution Providers (BSPs), namely M/S L1 Identity Solutions, M/S Morpho and Accenture. These contracts required the BSPs to provide services, design, supply, and implementation of a biometric solution for UIDAI. That is, the BSPs were to provide the technology that would facilitate biometric enrolment for Aadhaar and also be used in authenticating the identity of an Aadhaar number holder.

These BSPs continue to be the proprietors of the technology in question. For the continued use of the technology in the Aadhaar system, the licence has to be renewed from time to time. The Government of India entered into a contract with L-1 for design, supply and implementation of biometric matching services in 2010. This contract was to be valid for a period of two years or till the completion of 20 crore enrolments, whichever was earlier. Assuming 20 crore enrolments were not completed before end of two years, the contract would have continued to operate till at least July 30, 2012.

Data security measures

Colonel Mathew Thomas had argued in his petition that the Government of India entered into a contract with foreign agencies without putting into place any data security measures. Further, in the absence of any law regulating data protection, the contract for licencing technology with third parties like L-1 miserably failed to ensure that the personal data of millions of Indians enrolled for an Aadhaar number is protected. It was argued that the contract itself acknowledged that L-1 would have access to fingerprint, iris, face photograph and demographic information, or any data such as verifying documents of the nature of passport copy, PAN card copy etc, of Indian residents who were being enrolled for Aadhaar.

During the process of enrolment, the system would have to run through the un-encrypted format of the biometric database to ensure that there is no duplicate enrolment. The contract did provide that L-1 would process this data subject to applicable law and regulation, but in the absence of any data protection regulation at the time of the contract, L-1 had a free hand to use the data collected in whichever manner it wanted.

Allowing local storage of data

The contract also provided for L-1 to submit the data to the Central Identity Data Repository (CIDR) server in batches, clearly indicating that the data was not shared with the CIDR in real time. This was also supported by the provision allowing L-1 to locally store the data in a reference database (this reference database was in addition to the disaster recovery database). The contract was also stated to be silent on how this local database was to be maintained. Therefore, there were (and continue to be) multiple copies of the sensitive personal information of Indian residents, with no legal framework regulating their usage, processing or protection.

Over retention of Aadhaar data

Though the contract was for a term of two years, it allowed L-1 to retain documents arising out of, or related to the contract, and the data (including information about Indian residents) for up to 7 years. Such extended retention of data, particularly in the absence of any liability in case of misuse of data, raises questions over the intent of such a provision.

National security implications

Colonel Mathew Thomas in his petition had raised serious concerns over national security by pointing out that subsequent to the contract between L-1 and the Government of India, L-1 was acquired by Safran, a French defence conglomerate. It was also pointed out that L-1’s board of directors included former FBI agents, chief of CIA and members of US Homeland Security.

View from the other side

While the Union of India did agree that it entered into contracts with the three identified foreign entities, it claimed that these contracts were turnkey contracts. It submitted that BSPs were only providing the technology required for the Aadhaar system and that the hardware and servers being used belonged to UIDAI. In fact, during his PowerPoint presentation before the Constitution bench, the CEO of UIDAI submitted that the contracts were akin to that of Microsoft Operating System licences used on a day to day basis.

UIDAI had submitted that BSPs holding the intellectual property in the software does not affect the security of the data in CIDR. They submitted that the biometric data is stored offline and cannot be accessed by the BSPs. The Union, emphasising the measures taken to ensure security of the CIDR, had submitted that a “13 feet high wall had been built around the CIDR”, much to everyone’s amusement in Court. UIDAI further argued that the contract provided that the government would have the sole ownership and the right to use all the data pertaining to residents.

Responding to petitioner Col. Thomas’ submissions on BSPs having access to the Aadhaar data, UIDAI had submitted before the Supreme Court that access to the server room is regulated and that entry to the server room is protected by the Central Armed Police Forces. Further, it added that manual adjudication by authorised UIDAI officials is undertaken in case an error or duplicate is indicated during the enrolment process. UIDAI further submitted that the enrolment data is converted into templates and then stored offline.

UIDAI also argued that the clause pointed out by the petitioner Thomas as allowing retention of data by the BSPs actually granted the discretion to the UIDAI to share such data with the BSPs. It was submitted that such discretion was not exercised. Submitting that the data stored in the CIDR is secure, the counsel for UIDAI had also thrown an open challenge to the petitioners to access his Aadhaar related data. (Never mind the fact that under the Aadhaar Act, an unauthorised access to the CIDR is punishable by imprisonment for a term which may extend to three years and a fine not less than ten lakh rupees.)

Data, data, everywhere?

Clearly, the issue of the contract between the foreign entities and the Government of India is not the blue-black or white-golden dress debate. The contracts between the Government of India and the foreign entities have to be looked at in detail. While the Union has claimed that the foreign entities did not have access to data, they have not denied the provision for localised storing of the data by the foreign entities. Further, the Union has adduced no technology/software audit reports to indicate that there has been no unauthorised processing/use of data by the BSPs. No record has been shown indicating that the BSPs have destroyed all data that was collected during the course of the contract.

It is also pertinent to note that while the contract stated that the data collected under the contract would be subject to applicable law and regulation, there was no law regulating data protection (such as biometric data) in 2010. Even the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, which regulate privacy and disclosure of sensitive personal information, came into force in 2011, much after the commencement of the contract.

Is it correct to compare the licence for software for enrolment and de-duplication using biometrics to that granted to the users of Microsoft operating systems? Access to Microsoft operating software would require a one-time key, whereas the software being provided by the BSPs requires biometric matching each time access to a service is requested. A user has the option to choose which operating system to use or not use one at all, whereas an Aadhaar enrolee does not even know which BSP’s software is being used to process her data.

While the Government has much emphasised the physical security measures in the form of tall walls to protect the CIDR, questions on the security of the servers, access to data during de-duplication and the extent of data access to BSPs under the existing contract remain unanswered.

* Priyam Cherian works with the Lawyers Collective and assisted Senior Advocate Anand Grover who argued for Colonel Mathew Thomas in the Aadhaar challenge.